Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, re-posts, or information that is already in the public domain.

Do you know who has access to your organization’s network? Are you confident that all the users on your network are authorized to access your systems, and have a good idea of what devices have been connected to your firm’s systems?

If so, good for you.

But not all organizations have such tight control over who gains access to their IT infrastructure. One place, however, where you might hope that access would be tightly policed would be in a prison…

However, the Ohio Inspector General’s Office has just published a report revealing that two prison inmates were able to hide their own self-built PCs in the ceiling of a training room *and* connect them to the Marion Correctional Institution’s network.

Prison staff found the PCs back in 2015, but the security breach has only now been made public with the Inspector General’s investigation into the incident.

The first hint for prison authorities that something out-of-the-ordinary was occurring popped up in July 2015, when a security product sent an email alert to IT staff warning that a contractor’s PC connected to the Ohio Department of Rehabilitation and Correction’s (ODRC) network had exceeded its daily internet access quota.

Which was odd, because the contractor in question – Randy Canterbury – only worked Monday through Thursday. And the alert triggered on Friday, July 3, 2015.

Two weeks later, on Friday, July 17, 2015, another alert appeared, again linked to Randy Canterbury’s account, and this time associated with attempts to access proxy avoidance websites.

Deeper investigation identified the computer’s IP address and established that the machine was unauthorized, because its name fell outside the six numbers assigned to the known computers in the PC training area.

Carl Brady, who was responsible for IT support at the institution, takes up the story:

I had been told there was a PC on our network that was being used to try and hack through the proxy servers. They narrowed the search area down to the switch in P3 and the PC was connected to port 16. I was able to follow the cable from the switch to a closet in the small training room. When I removed the ceiling tiles I found two PCs hidden in the ceiling on 2 pieces of plywood.
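The three signals that exposed the hidden machines are all things a defender can check for routinely: a per-user daily quota being exceeded, an account active on a day its owner does not work, and a client host name that is not in the inventory for that room. The script below is an added example, not code from the original post or from the Ohio investigation; the log format, user names, host names, schedule and 1 GB quota are all constructed for illustration.

```python
"""
Hypothetical detection checks modelled on the signals in the story:
a daily internet quota that was exceeded, account activity on a day the
account holder does not work, a host name outside the range assigned to
the training room, and traffic to a proxy-avoidance category.
All log lines, names and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import date

# Constructed proxy log: date, user, client host name, bytes, URL category.
SAMPLE_LOG = """\
2015-07-02 contractor-a TRAIN-PC03 120000000 general
2015-07-03 contractor-a TRAIN-PC09 950000000 general
2015-07-03 contractor-a TRAIN-PC09 300000000 general
2015-07-17 contractor-a TRAIN-PC09 40000000 proxy-avoidance
2015-07-17 staff-b TRAIN-PC02 5000000 general
"""

# Constructed schedule: weekdays each account is expected to be active
# (Monday=0 ... Sunday=6). contractor-a works Monday through Thursday.
WORK_DAYS = {"contractor-a": {0, 1, 2, 3}, "staff-b": {0, 1, 2, 3, 4}}

# Constructed inventory: the six numbered PCs known to be in the training area.
KNOWN_HOSTS = {f"TRAIN-PC{n:02d}" for n in range(1, 7)}

DAILY_QUOTA_BYTES = 1_000_000_000  # assumed quota: 1 GB per user per day

FLAGGED_CATEGORIES = {"proxy-avoidance"}


def parse_log(text):
    """Parse the whitespace-separated constructed log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, host, nbytes, category = line.split()
        records.append({
            "date": date.fromisoformat(day),
            "user": user,
            "host": host,
            "bytes": int(nbytes),
            "category": category,
        })
    return records


def off_schedule(records, work_days):
    """(user, date) pairs where the account was active outside its schedule."""
    hits = set()
    for r in records:
        allowed = work_days.get(r["user"], set())
        if r["date"].weekday() not in allowed:
            hits.add((r["user"], r["date"].isoformat()))
    return sorted(hits)


def quota_exceeded(records, quota):
    """(user, date) pairs whose summed bytes exceed the daily quota."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["user"], r["date"].isoformat())] += r["bytes"]
    return sorted(k for k, v in totals.items() if v > quota)


def unknown_hosts(records, known):
    """Client host names that are not in the inventory of known machines."""
    return sorted({r["host"] for r in records if r["host"] not in known})


def flagged_categories(records, categories):
    """(user, host, date) triples with traffic to a category worth review."""
    return sorted({(r["user"], r["host"], r["date"].isoformat())
                   for r in records if r["category"] in categories})


def run_checks(text=SAMPLE_LOG):
    """Run every check over the log and return the findings by check name."""
    records = parse_log(text)
    return {
        "off_schedule": off_schedule(records, WORK_DAYS),
        "quota_exceeded": quota_exceeded(records, DAILY_QUOTA_BYTES),
        "unknown_hosts": unknown_hosts(records, KNOWN_HOSTS),
        "flagged": flagged_categories(records, FLAGGED_CATEGORIES),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

On the constructed data, the Friday activity and the unknown host TRAIN-PC09 surface from three independent checks, which is the point: no single signal proves a rogue device, but a quota alert plus an off-schedule login plus a host outside inventory is enough to justify tracing the switch port, as the IT staff in the story did.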

Lax supervision is being blamed for the inmates’ ability to build computers from parts, sneak them past security checks and hide them in the ceiling.

The inmates were also able to run cables which connected the computers to the prison network without being noticed.

“It surprised me that the inmates had the ability to not only connect these computers to the state’s network but had the ability to build these computers,” Ohio Inspector General Randall J. Meyer told local media. “They were able to travel through the institution more than 1,100 feet without being checked by security through several check points, and not a single corrections staff member stopped them from transporting these computers into the administrative portion of the building. It’s almost as if it’s an episode of Hogan’s Heroes.”

Certainly the inmates’ usage of the computers was audacious, not limiting themselves to downloading software, pornography and guides for making drugs and explosives, but also stealing the identity of another prisoner and submitting fake credit card applications and committing tax fraud.

In all, five inmates have been identified as linked to the hidden computers and moved to other institutions.

If this could happen in a prison where you expect security to be strict, you have to recognize that similar breaches could happen in your own organization. It’s clear, for instance, that the prisoners would have had a much more difficult time pulling off their scheme if they had not managed to ascertain the password of a legitimate contractor – albeit one who didn’t work on Fridays.